What Are Trusted Execution Environments?

When an AI system processes sensitive data — a loan application, a medical diagnosis, a compliance decision — you want to be certain that data is processed correctly and that no one outside the authorized process can observe it. Traditional software security guarantees end at the operating system or hypervisor boundary. Trusted Execution Environments (TEEs) extend security down to the hardware level.


The trust gap in conventional cloud computing

In a standard cloud deployment, your application runs in a virtual machine or container managed by a cloud provider. The provider’s hypervisor and staff have the technical capability to inspect memory in a running VM. Your assurance that they will not do so is contractual, not cryptographic.

For most workloads this is acceptable. For high-stakes AI processing in regulated industries — where your application is generating compliance records that may be used as legal evidence — cryptographic guarantees provide a stronger foundation.


What a TEE provides

A TEE is a hardware-enforced isolated execution environment where:

  • Memory is encrypted at the silicon level — the CPU encrypts all data in the TEE’s memory region. The cloud provider’s hypervisor cannot read plaintext data even with physical access to the machine.
  • Code integrity is verified — the TEE measures the code loaded into it and produces a signed report (an attestation) that anyone can verify. If the code was tampered with before loading, the attestation will not match the expected measurement.
  • Remote attestation is supported — a third party (or the platform itself) can cryptographically verify that specific, unmodified code is running inside a genuine TEE on specific hardware.

TEEs in VeriProof’s Enterprise Tier

VeriProof’s Enterprise Tier uses TEE-protected compute for the Confidential Notary component — the service that receives raw session data from your AI application, computes Merkle commitments, and stores encrypted audit records.

By running the Confidential Notary inside a TEE:

  1. Your session data is decrypted, processed, and re-encrypted entirely within the hardware-protected memory region
  2. Even VeriProof’s infrastructure administrators cannot read plaintext session data during processing
  3. The Merkle computation that produces the commitment sent to the blockchain is performed inside the TEE — you can verify that the commitment was computed correctly by checking the attestation report
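
The measurement check and the commitment check described above can be sketched as follows. This is an added example, not VeriProof code: it assumes you hold a raw AMD SEV-SNP attestation report (field offsets follow AMD's SEV-SNP report layout) and that the notary places SHA-512(nonce || commitment) in the report's REPORT_DATA field, a binding this page does not specify. Signature and certificate-chain verification are a separate, mandatory step that is not shown.

```python
import hashlib
import hmac
import struct

REPORT_LEN = 0x4A0        # size of an SEV-SNP attestation report, signature included
OFF_POLICY = 0x08         # 8-byte guest policy, little-endian
OFF_REPORT_DATA = 0x50    # 64 bytes chosen by the guest when it requests the report
OFF_MEASUREMENT = 0x90    # 48-byte launch digest of the code loaded into the guest
POLICY_DEBUG = 1 << 19    # when set, the host may decrypt guest memory for debugging


def check_report(report, expected_measurement, nonce, commitment):
    """Return the list of failed claims; an empty list means every claim matched.

    The ECDSA P-384 signature and the AMD certificate chain must be verified
    before any of these fields can be trusted; that step is not shown here.
    """
    if len(report) != REPORT_LEN:
        return ["unexpected report length"]
    failures = []
    (policy,) = struct.unpack_from("<Q", report, OFF_POLICY)
    if policy & POLICY_DEBUG:
        failures.append("debug policy enabled")
    measurement = report[OFF_MEASUREMENT:OFF_MEASUREMENT + 48]
    if not hmac.compare_digest(measurement, expected_measurement):
        failures.append("measurement mismatch")
    # Assumed binding (not from the page): REPORT_DATA = SHA-512(nonce || commitment)
    bound = hashlib.sha512(nonce + commitment).digest()
    if not hmac.compare_digest(report[OFF_REPORT_DATA:OFF_REPORT_DATA + 64], bound):
        failures.append("report data not bound to nonce and commitment")
    return failures


def build_sample_report(measurement, nonce, commitment, debug=False):
    """Build an unsigned, constructed report for the demo (not hardware output)."""
    report = bytearray(REPORT_LEN)
    struct.pack_into("<Q", report, OFF_POLICY, (1 << 17) | (POLICY_DEBUG if debug else 0))
    report[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = hashlib.sha512(nonce + commitment).digest()
    report[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(report)


# Constructed sample values standing in for a published measurement, a
# verifier-chosen nonce, and a Merkle commitment.
GOOD = hashlib.sha384(b"notary-image-v1 (constructed)").digest()
NONCE = bytes(range(32))
ROOT = hashlib.sha256(b"merkle root (constructed)").digest()

if __name__ == "__main__":
    print(check_report(build_sample_report(GOOD, NONCE, ROOT), GOOD, NONCE, ROOT))
    tampered = hashlib.sha384(b"modified image (constructed)").digest()
    print(check_report(build_sample_report(tampered, NONCE, ROOT), GOOD, NONCE, ROOT))
```

The debug-policy check matters because a guest launched with debugging allowed does not give the memory confidentiality described earlier, even when its measurement matches.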

TEE protection is available on Enterprise Federated plans. Standard Tier customers receive the same data isolation guarantees through software controls (EF Core filtering and PostgreSQL row-level security, RLS), but without hardware-level memory encryption.


Supported TEE platforms

Platform | Provider | Status
AMD SEV-SNP | Azure Confidential Computing (ACI) | ✅ Available
AWS Nitro Enclaves | AWS | Planned
GCP Confidential Space | Google Cloud | Planned

The platform’s architecture uses a provider-agnostic attestation interface, so new TEE platforms can be added without changes to the core ingest pipeline.


What TEEs do not protect

TEEs protect data in memory during processing. They do not:

  • Protect data after it leaves the TEE (storage encryption handles this separately)
  • Prevent correct code running in a TEE from making inappropriate requests
  • Replace application-level access controls or network security

VeriProof uses TEEs as one layer in a defense-in-depth architecture alongside encryption at rest, multi-tenant isolation, and network segmentation.

